[ https://issues.apache.org/jira/browse/CASSANDRA-18875?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17790777#comment-17790777 ]
Raymond Huffman commented on CASSANDRA-18875: --------------------------------------------- [~brandon.williams] Here's a patch for trunk that upgrades to snakeyaml 2.2 https://github.com/apache/cassandra/pull/2941 > Upgrade the snakeyaml library version > ------------------------------------- > > Key: CASSANDRA-18875 > URL: https://issues.apache.org/jira/browse/CASSANDRA-18875 > Project: Cassandra > Issue Type: Task > Components: Local/Config > Reporter: Jai Bheemsen Rao Dhanwada > Priority: Normal > Fix For: 5.x > > > Apache cassandra uses 1.26 version of snakeyaml dependency and there are > several > [vulnerabilities|https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.26#] > in this version that can be fixed by upgrading to 2.x version. I understand > that this is not security issue as cassandra already uses SafeConstructor and > is not a vulnerability under OWASP, so there are no plans to fix it as per > CASSANDRA-18122 > > Cassandra as a open source used and distributed by many enterprise customers > and also when downloading cassandra as tar and using it external scanners are > not aware of the implementation of SafeConstructor have no idea if it's > vulnerable or not. > Can we consider upgrading the version to 2.x in the next releases as > snakeyaml is not something that has a large dependency between the major and > minor versions. I am happy to open a PR for this. Please let me know your > thoughts on this. -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org